Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp746058ybz;
        Wed, 15 Apr 2020 18:03:41 -0700 (PDT)
X-Google-Smtp-Source: APiQypLbcfTGXqOlaI/D9NQy/bJU2k9hUjsuqB8sOAYqUlffMfP5DhJemFGqehPoBjfX8x7ILPXP
X-Received: by 2002:aa7:d3d6:: with SMTP id o22mr966913edr.52.1586999021785;
        Wed, 15 Apr 2020 18:03:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586999021; cv=none;
        d=google.com; s=arc-20160816;
        b=OphUZ/hEi2Q4/LEJMN4hsuC5Wl/7OzFASpXT7v4TwaC4Y8e+M+pwOYc4SUBKmPdims
         Ykj1evvlyBWbI8sKCvQTz4EYuHY1FVG1F5QrBmSTYCiO3AWXMIIGNkHaTjEGLGEqSff/
         pfWtJs6V0cfL+RuZBJmQJ01rWOm+xqFE2LxyE3CorPXqz0S19GNAU9M3bRa5+SbqZfvJ
         VQN7UITd7kIQph5dJjuNc+UMNHagSgEsO62cx6ZrTXQ+42O6dXz3zFd/w9AGcVZsDu9g
         N+ZO6/AKWEmQS5EwBxxCErL2omq84X93URGmiU2K8TgViOn1/7B0AN7V1KqKN4jBwWH4
         p2xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature;
        bh=e4dRUu2wgTZTB/ox2huWaCLoCqjAmEMWUdAH01eCSZU=;
        b=JrCDNPbY2uTgeLUHB6gwPqRHAQsCSNLayoT6/haaOHNEb/Gzv0al328KqkWyJZxnyl
         cf9WNtMFvNtkv2VkoqDTY/3Hrqv/Vg4SfcITgHnuGiXzPWM5mxv0knRBTYVgNSXSQBlr
         BRSQ1BBWtHCL3OI9+OBQ8IGlqikoZep0541UhLBlv+yltyKTr4JWQ/0LHxwMEOrBCqTh
         IQK4amDJrw5CJXTJHAxSTZM+bG+bz9KiiRHaCUXFgjg5FayLkifzHjkk1fqPiUuRSr2L
         k2gbJ8kUL9n+uFM5sH5HwL8rEjilTK22oA3MmxGrU/y3rn2nWk9NFr8QrnBT9FV2B9mj
         ZV5g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=p1W20aHm;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bm20si11480667edb.476.2020.04.15.18.03.17;
        Wed, 15 Apr 2020 18:03:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=p1W20aHm;
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2406557AbgDOUG1 (ORCPT <rfc822;rosenp@gmail.com> + 99 others);
        Wed, 15 Apr 2020 16:06:27 -0400
Received: from aserp2120.oracle.com ([141.146.126.78]:47522 "EHLO
        aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2406385AbgDOUGZ (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Wed, 15 Apr 2020 16:06:25 -0400
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1])
        by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03FK4IDq189273;
        Wed, 15 Apr 2020 20:06:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type :
 mime-version : subject : from : in-reply-to : date : cc :
 content-transfer-encoding : message-id : references : to;
 s=corp-2020-01-29; bh=e4dRUu2wgTZTB/ox2huWaCLoCqjAmEMWUdAH01eCSZU=;
 b=p1W20aHmBDxvd1bIigDUXhVP7yQWIwfpSHRb0C/xj/OweGQ7AM7Mr1oY1Sbzc7E/B7Vh
 22iO+Y4trDWOfEELpg0/McoXPrSIum4MYPNBJZxhVLbnQs37mtbTv/ugnWGTWmeF1ibx
 QFYfJOpRQ9Uaahyts0xueuQMmD7NC2q3RAefVOLKhUdJzB8AP5AYRR/22nHeGYAhBW7V
 FoDcM7EwcAG6L7ri+8I9LEBdnnEr8K4Ca90W6G6aAlqDmcI/P6ghNTIlXPL+DAUYqt5B
 KOOlg5QikxmHFXyPI2A0ur3SXdFeJMjGgvvxHhNL5SuW5ytH75SIlHS42x8YaLDtfgQ6 hA== 
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70])
        by aserp2120.oracle.com with ESMTP id 30dn95nkp1-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 15 Apr 2020 20:06:21 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1])
        by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 03FK26pq180451;
        Wed, 15 Apr 2020 20:06:20 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])
        by aserp3020.oracle.com with ESMTP id 30dn9cw341-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 15 Apr 2020 20:06:20 +0000
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19])
        by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 03FK6Imk024647;
        Wed, 15 Apr 2020 20:06:19 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Wed, 15 Apr 2020 13:06:18 -0700
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: GSS unwrapping breaks the DRC
From:   Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <20200415192542.GA6466@fieldses.org>
Date:   Wed, 15 Apr 2020 16:06:17 -0400
Cc:     Jeff Layton <jlayton@kernel.org>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0775FBE7-C2DD-4ED6-955D-22B944F302E0@oracle.com>
References: <DAED9EC8-7461-48FF-AD6C-C85FB968F8A6@oracle.com>
 <20200415192542.GA6466@fieldses.org>
To:     Bruce Fields <bfields@fieldses.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9592 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=774 mlxscore=0 adultscore=0
 spamscore=0 phishscore=0 bulkscore=0 suspectscore=0 malwarescore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000
 definitions=main-2004150149
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9592 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 clxscore=1015
 malwarescore=0 bulkscore=0 priorityscore=1501 lowpriorityscore=0
 mlxscore=0 phishscore=0 spamscore=0 impostorscore=0 suspectscore=0
 mlxlogscore=823 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2003020000 definitions=main-2004150149
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org



> On Apr 15, 2020, at 3:25 PM, Bruce Fields <bfields@fieldses.org> =
wrote:
>=20
> On Wed, Apr 15, 2020 at 01:05:11PM -0400, Chuck Lever wrote:
>> Hi Bruce and Jeff:
>>=20
>> Testing intensive workloads with NFSv3 and NFSv4.0 on NFS/RDMA with =
krb5i
>> or krb5p results in a pretty quick workload failure. Closer =
examination
>> shows that the client is able to overrun the GSS sequence window with
>> some regularity. When that happens, the server drops the connection.
>>=20
>> However, when the client retransmits requests with lost replies, they
>> never hit in the DRC, and that results in unexpected failures of non-
>> idempotent requests.
>>=20
>> The retransmitted XIDs are found in the DRC, but the retransmitted =
request
>> has a different checksum than the original. We're hitting the =
"mismatch"
>> case in nfsd_cache_key_cmp for these requests.
>>=20
>> I tracked down the problem to the way the DRC computes the length of =
the
>> part of the buffer it wants to checksum. nfsd_cache_csum uses
>>=20
>>  head.iov_len + page_len
>>=20
>> and then caps that at RC_CSUMLEN.
>>=20
>> That works fine for krb5 and sys, but the GSS unwrap functions
>> (integ_unwrap_data and priv_unwrap_data) don't appear to update =
head.iov_len
>> properly. So nfsd_cache_csum's length computation is significantly =
larger
>> than the clear-text message, and that allows stale parts of the =
xdr_buf
>> to be included in the checksum.
>>=20
>> Using xdr_buf_subsegment() at the end of integ_unwrap_data sets the =
xdr_buf
>> lengths properly and fixes the situation for krb5i.
>>=20
>> I don't see a similar solution for priv_unwrap_data: there's no MIC =
len
>> available, and priv_len is not the actual length of the clear-text =
message.
>>=20
>> Moreover, the comment in fix_priv_head() is disturbing. I don't see =
anywhere
>> where the relationship between the buf's head/len and how svc_defer =
works is
>> authoritatively documented. It's not clear exactly how =
priv_unwrap_data is
>> supposed to accommodate svc_defer, or whether integ_unwrap_data also =
needs
>> to accommodate it.
>>=20
>> So I can't tell if the GSS unwrap functions are wrong or if there's a =
more
>> accurate way to compute the message length in nfsd_cache_csum. I =
suspect
>> both could use some improvement, but I'm not certain exactly what =
that
>> might be.
>=20
> I don't know, I tried looking through that code and didn't get any
> further than you.  The gss unwrap code does look suspect to me.  It
> needs some kind of proper design, as it stands it's just an =
accumulation
> of fixes.

Having recently completed overhauling the client-side equivalents, I
agree with you there.

I've now convinced myself that because nfsd_cache_csum might need to
advance into the first page of the Call message, rq_arg.head.iov_len
must contain an accurate length so that csum_partial is applied
correctly to the head buffer.

Therefore it is the preceding code that needs to set up =
rq_arg.head.iov_len
correctly. The GSS unwrap functions have to do this, and therefore these
must be fixed. I would theorize that svc_defer also depends on =
head.iov_len
being set correctly.

As far as how rq_arg.len needs to be set for svc_defer, I think I need
to have some kind of test case to examine how that path is triggered. =
Any
advice appreciated.


--
Chuck Lever